[Original] Format string vulnerability in SHOUTcast 1.9.4 allows remote attackers to cause a denial of service (application crash) and execute arbitrary code via format string specifiers in a content URL, as demonstrated in the filename portion of a .mp3 file.

-
Vulnerability Information (F83218)

This Metasploit module exploits a format string vulnerability in the Nullsoft SHOUTcast server for Windows. The vulnerability is triggered by requesting a file path that contains format string specifiers. This vulnerability was discovered by Tomasz Trojanowski and Damian Put.

-
Unaffected Program Versions

-
Vulnerability Discussion

Nullsoft SHOUTcast is prone to a remotely exploitable format string vulnerability. The vulnerability is exposed when the server attempts to handle a client request for a file.

Successful exploitation may allow execution of arbitrary code in the context of the server process. This could also be exploited to crash the server and, possibly, to read process memory (which could increase reliability of an exploit).

This issue was reported to exist in version 1.9.4 on Linux. It is likely that versions for other platforms are also affected by the vulnerability, though it is not known to what degree they are exploitable. Earlier versions of the software are also likely affected.
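
The bug class described above, shown as an added example (not SHOUTcast's code and not the Metasploit module): a hypothetical `describe_request` passes the requested path as data to a constant format, and a hypothetical `count_conversions` flags printf-style conversions in a request path. Both function names and the sample path are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical handler step (an assumption, not SHOUTcast's code): build a
 * log message for a client-requested path. The path is passed as data to a
 * constant format, so '%' sequences in it are copied as literal bytes.
 *
 * The unsafe form lets the client supply the format string itself:
 *     snprintf(out, outlen, path);
 */
int describe_request(char *out, size_t outlen, const char *path)
{
    int n = snprintf(out, outlen, "request for %s", path);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1; /* -1: error or truncated */
}

/* Count printf-style conversions in an already URL-decoded path, for use in
 * request filtering or log review. "%%" is a literal percent and is skipped. */
int count_conversions(const char *path)
{
    int count = 0;
    for (const char *p = path; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')
            continue;                              /* "%%": literal percent */
        p += strspn(p, "-+ #0");                   /* flags */
        p += strspn(p, "0123456789*$");            /* width or positional index */
        if (*p == '.')
            p += 1 + strspn(p + 1, "0123456789*"); /* precision */
        p += strspn(p, "hlLqjzt");                 /* length modifiers */
        if (*p == '\0')
            break;
        if (strchr("diouxXeEfgGaAcspn", *p))
            count++;
    }
    return count;
}

int main(void)
{
    /* Constructed sample input: specifiers in the filename portion. */
    const char *path = "/content/%x%x%s.mp3";
    char msg[128];
    if (describe_request(msg, sizeof msg, path) == 0)
        printf("%s (conversions: %d)\n", msg, count_conversions(path));
    return 0;
}
```

Run the check on the decoded path: in a raw URL, an escape such as `%20` followed by a letter (for example `my%20song.mp3`) also parses as a conversion and would be counted.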

-
Solution

Gentoo has released an advisory to provide updates for this issue. Updates may be applied by running the following commands as the superuser:
emerge --sync
emerge --ask --oneshot --verbose ">=media-sound/shoutcast-server-bin-1.9.5"